
AD accounts randomly locking out

Question

Alright, so I have had this issue ever since I started at my current company, and have actually never seen this before. All our clients are Windows 7 with all servers being Windows 2008 Server Standard and R2. All service packs and updates/patches applied.

So there are a handful of users that at one point or another have their AD accounts lock out while they are not even at their computers. They might be away at lunch and come back and their account is locked. They could also be working on their computer, and as they are working they realize Outlook has disconnected from Exchange because their account has become locked. Sometimes this can happen MANY times a day, and sometimes a user can go days in between lockouts.

There is absolutely no rhyme or reason to when this happens, and I can tell you that their accounts are not getting locked out because of failed login attempts. It just happens... with no user intervention.

The only temporary fix I have is to have the user log out, then go to switch user - other user and then log in "fresh". And this fix sometimes works for days, sometimes weeks, sometimes it permanently fixes a user, and then sometimes it only fixes it for a few hours.

There may be many causes for an account being locked out:
• user's account in stored user names and passwords
• user's account tied to a persistent mapped drive
• user's account used as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's pw has changed
• A SMARTPHONE!!!

If a user id is getting frequently locked out, use the EventComb / LockoutStatus.exe tools to determine which DC it is being locked out on, then examine the security log of that domain controller to determine the member server or workstation it is occurring on. You can then check scheduled tasks/services to nail down the cause, or log the user out of the identified system if they are logged in.

It could be a prankster doing it. I remember there was this one guy that kept using my workstation after I left for the day. I would have a utility running to gather info overnight, expecting to see the results in the morning. This guy would turn my workstation off, then log himself in. Of course he would log out, but I could see his name as the last logged on user. So what I did for 3 days straight is just put any old thing in the password field and hit enter, 3 times, locking his account. I saw him later on and asked, hey, any problems with your account? Yea, how did you know. I told him, and just kind of laughed over it, saying my workstation just happened to be convenient to use. I said if you need my workstation, no problem, just text or call me to ask, to make sure I have nothing running on it.

As for your random issues, maybe a prankster could be doing just this. You would need to enable auditing to get the user account failure with what IP address it's coming from, assuming it's from a different workstation.

Another possibility is that the account is being used for a service, but the password isn't getting manually changed when the account password changes. You'll want to check the machine of that user to verify that. You can dump the service account credentials into a text file to see if anything's up with that. See the batch file at the bottom of this post.


One more possibility is malware or a virus, such as the Conficker virus, which can also result in lockouts.

You can also set the debug flag on NetLogon to track authentication. "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service: http://support.microsoft.com/kb/109626

How to use the EventCombMT utility to search event logs for ...: This article describes how to use the EventCombMT utility (EventCombmt.exe) to search the event logs of multiple computers for account lockouts. http://support.microsoft.com/kb/824209

You can dump your service account credentials with the following batch file on all DCs or any other machine that you suspect a service is using the account name in question.

Save it as whatever.bat, and run it. In Windows 2008 or newer, run it as an administrator.
***
@echo off
REM Walk every key under Services and keep only the ObjectName values, i.e. the "Log On As" account of each service
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s | find /i "objectname" >services.txt
REM Open the list and look for the user account in question
notepad services.txt
exit
***
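The batch file above lists only the ObjectName lines, so you still have to match them back to a service by hand and it says nothing about scheduled tasks. Here is an added PowerShell example (not code from the original thread) that does both steps at once for a list of machines: it reports every service whose "Log On As" account and every scheduled task whose "Run As User" matches the locked-out account. The account and computer names are placeholders, it needs admin rights on each target, and it sticks to Get-WmiObject and schtasks.exe so it runs under PowerShell 2.0 on Windows 7 / Server 2008.

```powershell
# Added example, not from the original post. Finds services and scheduled tasks that run under
# a given domain account on a list of computers. $Account and $Computers are placeholders.
# Uses Get-WmiObject and schtasks.exe so it works on PowerShell 2.0 (Windows 7 / Server 2008).

$Account   = 'CONTOSO\jdoe'                        # placeholder: the account that keeps locking out
$Computers = @('FILESRV01', 'WEB01', 'WKS-JDOE')   # placeholder: machines you suspect

# Reduce 'CONTOSO\jdoe' or 'jdoe@contoso.com' to the bare user name, then build a pattern that
# matches it whether the stored value is 'CONTOSO\jdoe', '.\jdoe' or 'jdoe@contoso.com'.
$user    = $Account.Split('\')[-1].Split('@')[0]
$pattern = '(^|[\\@])' + [regex]::Escape($user) + '(@|$)'

$findings = foreach ($c in $Computers) {

    # Services: Win32_Service.StartName is the "Log On As" account, the same value the
    # registry ObjectName dump shows, but here it comes back together with the service name.
    try {
        Get-WmiObject -Class Win32_Service -ComputerName $c -ErrorAction Stop |
            Where-Object { $_.StartName -and ($_.StartName -match $pattern) } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Computer = $c
                    Type     = 'Service'
                    Name     = $_.Name
                    RunAs    = $_.StartName
                    State    = $_.State
                }
            }
    } catch {
        Write-Warning ("{0}: service query failed - {1}" -f $c, $_)
    }

    # Scheduled tasks: the verbose CSV output of schtasks includes a "Run As User" column.
    # schtasks repeats its header line per task, so rows whose TaskName is literally
    # 'TaskName' are dropped before filtering.
    $csv = schtasks.exe /Query /S $c /V /FO CSV 2>$null
    if ($LASTEXITCODE -eq 0 -and $csv) {
        $csv | ConvertFrom-Csv |
            Where-Object { $_.TaskName -ne 'TaskName' -and ($_.'Run As User' -match $pattern) } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Computer = $c
                    Type     = 'Task'
                    Name     = $_.TaskName
                    RunAs    = $_.'Run As User'
                    State    = $_.Status
                }
            }
    } else {
        Write-Warning ("{0}: could not query scheduled tasks" -f $c)
    }
}

if ($findings) {
    $findings | Sort-Object Computer, Type | Format-Table Computer, Type, Name, RunAs, State -AutoSize
} else {
    "No services or scheduled tasks running as $Account were found on: $($Computers -join ', ')"
}
```

Run it from a workstation or server that can reach the targets over WMI and RPC. Any hit is a place where a cached copy of the old password will be retried after the user changes it, which is exactly the pattern the answer describes; mapped drives and stored credentials on the user's own workstation are not covered here and still need the manual checks listed above.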


If multiple user ids are getting locked in AD, this could be a symptom of the Win32/Conficker worm.

On the DC, check the security log: event id 644 (Win2003) or 4740 (Win2008) will occur if the account is getting locked. Open the event and check the caller machine. If you check the multiple 644 logs you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment which may be affected by the Conficker virus.

If it is spread on multiple PCs, create a GPO. Refer to the MS link below; the symptoms of the Conficker virus are given and also how to deploy the policy to block the same. http://support.microsoft.com/kb/962007

Also make sure that all the PCs as well as the servers are patched and the latest virus definitions are present on all PCs.

Note: If the event id 644 has not occurred, then this means that in the audit policy the user account management policy is not configured. Configure the same and check if the events are occurring. This scenario is only for the Conficker virus, as I have faced the same issue in my network.

Regards,
Sandesh Dubey.
-------------------------------
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
My Blog: http://sandeshdubey.wordpress.com
This posting is provided AS IS with no warranties, and confers no rights.
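The step in this answer of opening each 4740 event and comparing the caller machine is easy to automate. Below is an added PowerShell example (not code from the thread or from Microsoft) that pulls the 4740 events from the PDC emulator, which records every lockout in the domain, and groups them by "Caller Computer Name" so that one host locking out many different accounts stands out. It assumes the "Audit User Account Management" policy is enabled on the DCs, as the answer notes, that you can read the DC's Security log, and a Windows 2008 or later DC (event 4740; the 644 event on Windows 2003 is not handled). The time window is a placeholder.

```powershell
# Added example, not from the original thread. Groups domain account-lockout events (ID 4740)
# from the PDC emulator by the caller computer name. Assumes Windows 2008+ DCs and that
# "Audit User Account Management" success auditing is on. $Hours is a placeholder window.

$Hours = 24

# Every lockout is forwarded to the PDC emulator, so one query covers the whole domain.
# Resolving it through .NET avoids needing the ActiveDirectory module.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 4740 events on $pdc in the last $Hours h; check that 'Audit User Account Management' is enabled."
    return
}

# Field order in a 4740 event's EventData: TargetUserName (the locked account),
# TargetDomainName (which, despite its name, carries the caller computer name),
# TargetSid, then the Subject* fields describing the DC that applied the lockout.
$rows = foreach ($e in $events) {
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Account = $e.Properties[0].Value
        Caller  = $e.Properties[1].Value
        DC      = $e.MachineName
    }
}

# One caller producing lockouts for many distinct accounts is the pattern the answer
# attributes to Conficker; a caller that repeatedly locks a single account points instead
# at a stale credential (service, task, mapped drive, phone) on that machine.
$rows | Group-Object Caller | ForEach-Object {
    $accounts = $_.Group | Select-Object -ExpandProperty Account | Sort-Object -Unique
    New-Object PSObject -Property @{
        Caller        = $_.Name
        Lockouts      = $_.Count
        DistinctUsers = $accounts.Count
        LastSeen      = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        Accounts      = ($accounts -join ', ')
    }
} | Sort-Object DistinctUsers, Lockouts -Descending |
    Format-Table Caller, Lockouts, DistinctUsers, LastSeen, Accounts -AutoSize
```

Read the table from the top: a caller with a high DistinctUsers count is the machine to isolate and scan first, while a caller that only ever locks one account is where the service, task or stored credential from the earlier answer should be looked for. An empty caller name means the bad-password source was not a domain member, which is where the NetLogon debug logging mentioned above helps.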
